Building Secure Web Applications Infographic

Neglecting to take proper security measures at the application layer is one of the most common causes of data breaches, yet many companies still leave their applications unprotected. Securing your applications begins with developer training on the risks applications face and the methods required for vulnerability prevention. This infographic focuses on defining these risks and combating common flaws.

Add this Infographic to Your Website for FREE!

Small Version

Large Version

the co$t of a data breach averages $5.5 million or $194 per customer record

Companies that take security seriously by employing a Chief Information Security Officer can reduce the cost per customer record by up to 62%.

So…what can Web developers be doing to PREVENT these data breaches and Web application vulnerabilities from happening in the first place?

The OWASP Top 10 Application Security Risks

Injection

Cross-Site Scripting (XSS)

Broken Authentication and Session Management

Insecure Direct Object References

Cross-Site Request Forgery (CSRF)

Security Misconfiguration*

Insecure Cryptographic Storage

Failure to Restrict URL Access

Insufficient Transport Layer Protection*

Unvalidated Redirects and Forwards

*May be outside the developer’s control

Application Security Checklist:

(This is not a comprehensive list, as application security is a constant process)

Does the application properly encode or escape data prior to exchanging it with external components such as a database, LDAP server, web browser, etc?

Does the application encrypt sensitive information such as authentication credentials, sensitive customer data, etc. prior to transmitting such information across the network?

Does the application comply with the organization's existing security standards?

Does the application use thread-safe techniques to protect against race conditions that could harm system availability and/or data integrity?

Does the application ensure that numeric values are within expected ranges that do not result in unanticipated consequences when used in calculations or control structures?

Does the application properly control access to the server's file system?

Does the application use currently accepted, industry-standard cryptographic algorithms?

Has the application been deployed with secure default permissions?

Does the application protect against brute force attacks?

Does the application validate all input including parameters, arguments, cookies, anything read from the network, environment variables, request headers, URL components, e-mail, files, database records and any external system that provides data to the application?

Does the application verify the origin of sensitive requests through the use of unpredictable, unique nonces as hidden input form values?

Does the application fail gracefully and securely without divulging details of the underlying implementation to the end user?

Does the application store state information on the server side only or ensure client-side state variables have not been tampered with?

Does the application perform access control checks in a consistent manner across all potential execution paths?

Is the application free of hardcoded credentials and cryptographic keys?

Does the application use sufficient randomness for generating session ids or in other security-sensitive contexts?

Specific Examples of How to Combat Two Common Flaws

XSS (Cross Site Scripting) Flaws

You May Be Vulnerable If…

Input coming into your applications is not validated

Output to the browser is not properly escaped

How to Prevent It

Use the appropriate escaping method for the context you are in. Here are some examples:

HTML encode all user input returned as part of HTML

URL encode all user input returned as part of URLs (convert ?, &, /, <, >, and spaces to their respective URL encoded equals)

Nate joined Veracode as a marketing specialist in early 2012. He is one of Veracode’s first co-ops from Northeastern University, where he is majoring in entrepreneurship and new venture management while minoring in music. He has various responsibilities at Veracode, including blogging, SEO, and infographic design.

Comments (1)

solak | January 17, 2014 1:52 pm

Thank you for including the text in textual form for search indexing and screen readers.

Please Post Your Comments & Reviews

Your email address will not be published. Required fields are marked *

Your name *

E-mail *

The content of this field is kept private and will not be shown publicly.

Homepage

Comment *

Never Miss a Post!

Get the latest articles from Veracode delivered to your inbox.

Veracode is a Leader in the Magic Quadrant

Read the "Magic Quadrant for Application Security Testing" (July 2014) to find out why there is a critical need to reduce risk in Web, cloud and mobile applications.